Description

Envoy is a high-performance edge/middle/service proxy. Prior to 1.37.1, 1.36.5, 1.35.8, and 1.34.13, the Envoy RBAC (Role-Based Access Control) filter contains a logic vulnerability in how it validates HTTP headers when multiple values are present for the same header name. Instead of validating each header value individually, Envoy concatenates all values into a single comma-separated string. This behavior allows attackers to bypass RBAC policies—specifically "Deny" rules—by sending duplicate headers, effectively obscuring the malicious value from exact-match mechanisms. This vulnerability is fixed in 1.37.1, 1.36.5, 1.35.8, and 1.34.13.

INFO

Published Date :

2026-03-10T19:01:28.062Z

Last Modified :

2026-03-10T20:12:40.604Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-26308 vulnerability.

Vendors Products
Envoyproxy
  • Envoy
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-26308.

URL Resource
https://github.com/envoyproxy/envoy/commit/b6ba0b2294b98484fb0ed8556897d1073cc27867 cve-icon cve-icon
https://github.com/envoyproxy/envoy/security/advisories/GHSA-ghc4-35x6-crw5 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact